fix: escape awesomeplete label titles

2023-09-11 22:01:01 +05:30 · 2023-09-11 22:01:01 +05:30 · 045d35b89e
commit 045d35b89e
parent ebfdfa283b
1 changed files with 1 additions and 1 deletions
--- a/frappe/public/js/frappe/form/controls/link.js
+++ b/frappe/public/js/frappe/form/controls/link.js
@ -221,7 +221,7 @@ frappe.ui.form.ControlLink = class ControlLink extends frappe.ui.form.ControlDat
 				return $("<li></li>")
 					.data("item.autocomplete", d)
 					.prop("aria-selected", "false")
-					.html(`<a><p title="${_label}">${html}</p></a>`)
+					.html(`<a><p title="${frappe.utils.escape_html(_label)}">${html}</p></a>`)
 					.get(0);
 			},
 			sort: function () {